Cisco ASA 9.4 Code Release

This code release brings with it a couple of interesting features and new models to the plethora of Cisco ASA devices already on offer. The new devices added to the ASA family are:

  • ASA 5506W-X — ASA 5506 with inbuilt Wireless Access Point
  • ASA 5506H-X — ASA 5506 Hardened Edition (Ruggedized)
  • ASA 5508-X
  • ASA 5516-X

Why use Cisco ISE Policy Sets in your deployments?

Cisco ISE has a feature called Policy Sets. The purpose of Policy Sets is to let you logically group authentication and authorization policies within the same logical entity. For example, you could have separate authentication and authorization policies for wired, wireless and VPN access, or for any other use case in your business. On a vanilla Cisco ISE deployment, Policy Sets are not enabled by default and only the default Policy Set is defined (more on this later).

ASA – TCP Ping

In Cisco ASA version 8.4(1) a great new troubleshooting tool was introduced: TCP Ping. It does what you would expect: it sends a TCP SYN to an IP address on a specified destination port to verify bi-directional TCP connectivity from an ASA interface. If the ASA receives a TCP SYN-ACK in return, the ping is reported as successful.

ASA Embedded Event Manager (EEM)

As of ASA version 9.2(1), Cisco has introduced the EEM to the ASA feature set. For any of you familiar with IOS, this is the same functionality now available on the ASA.

Having the EEM functionality on the ASA is fantastic for automating pretty much anything. One thing I needed to automate was to execute a “show run” when a user logs into the ASA and another “show run” when the user logs out. This is especially useful on devices that are under shared control: it gives you, as the engineer, a before-and-after log that you can compare to see exactly what was changed by a given engineer.

ISE 1.3: Endpoints/NAD —> ISE Communication

Quick diagram of the ports and protocols used for communication between endpoints/network devices and ISE servers (Monitoring/Policy Service Node). I wanted to put this up as it is a discussion I regularly have with customers when talking about which ports are used and for what. Hope it helps.

ISE 1.3: Chain 802.1x with Centralised Web Authentication (CWA)

In Identity Services Engine version 1.3, Cisco has introduced the ability to chain 802.1x authentication with Central Web Authentication (CWA) and make an authorisation decision based on the two identities. The first identity used is the device identity (Certificate) and the second, the credentials used for the CWA.

ISE 1.3: Endpoint Certificate Renewal

One of the greatest things about ISE 1.3 is its internal Certificate Authority (CA) and its ability to issue certificates to clients. When you provision certificates, they always have an expiry date set, which is great until they expire and all your carefully built ISE policies deny access to a perfectly valid device/user.

Cisco Wireless: Locating an Access Point via its LED

There may be a time when you are required to physically locate an access point at a site. However, the access point is out of reach and has not been labelled. So what can you do?

Well, the Cisco Wireless LAN Controller allows you to make the LED on the AP flash so you can locate it. To do this, you must SSH into the controller that the AP is registered to.

